How Does SIEM Work?
- Written by: Colton Bachman
What is a SIEM?
SIEM is an acronym for security information and event management, which utilizes software to provide real-time event analysis of devices on a network. SIEM aggregates information from devices and interprets key attributes (IPs, users, event types, memory, processes, ports, etc.) that are correlated to identify security incidents or issues. Devices, including firewalls, servers, IPS/IDS, anti-virus, spam filters, etc., generate event logs, which are delivered to the SIEM for analysis.
SIEM software can be used to assist in validating and meeting compliance requirements such as HIPAA and PCI. Network availability, configuration issues, and performance can also be monitored; for instance, when a server cannot be reached or is utilizing too many resources outside of normal boundaries, an incident is created and the proper user can be notified.
How does SIEM work?
SIEM works first by gathering all the event logs from configured devices. The logs are sent to a collector, which typically runs on a virtual machine inside the host network. Next, the logs are securely sent from the collector to the SIEM. The SIEM consolidates the logs, parses each log, and categorizes them into event types, such as successful and failed logons, exploit attempts, malware activity, and port scans. These event types are then run against rulesets to determine if there is any illegitimate traffic. An alert will be created if a rule is triggered.
For example, if someone has 20 failed logon attempts in 10 minutes, it could be seen as suspicious. However, it would likely create a low-priority incident, as there is a fair probability that a user has simply forgotten their new password. Now, if the user has experienced 100 failed logons followed by a success within a certain time frame, a high-severity incident could be generated. This would likely indicate a successful brute-force attack.
SIEM is able to perform these powerful correlations based on the large variety of devices sending data to the correlation engine for monitoring. In addition to parsing key attributes from each raw log, SIEM is able to identify event types. Event types are broken into categories such as login failures, account changes, permitted/denied traffic, malware, exploits, etc. Logic is then added to identify patterns of information, quantities of events, or intervals of time in which conditions are met. This information is gathered to create alert triggers for incidents. As a result, the SIEM is able to identify threats based on correlations of multiple events, which by themselves wouldn’t necessarily provide attack indicators.
Benefits to using a SIEM
Visibility into a network can be the key to understanding and stopping an attack. Real-time monitoring allows for greater insight and reduced response times. Compliance requirements and administrative operations can be accomplished utilizing the reporting tools in SIEM. For example, if you wanted to view all failed VPN logons for your organization, you can schedule reports or run them on demand. Log data is typically stored within the system and can be leveraged for historical analysis or investigations. If an incident occurred 10 months ago, a SIEM could provide audit records and activity reports via a single interface.
The biggest benefit of all may be the peace of mind that is provided through having a complete understanding of the activity on your network. Without proper event log monitoring, you exponentially increase the risk that a compromise will occur unnoticed. SIEM gives you the ability to increase your overall security posture by adding an additional layer to your defenses.